analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample_107.zip

Full analysis: https://app.any.run/tasks/201d03a6-dc29-40f0-8896-2b569238c19e
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 10:48:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
necurs
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

543967F1E1C23781C1B5BE9C4932EB4B

SHA1:

C6060F800D4BF76C7D3423FE9611D5250537EF68

SHA256:

AA50CC8FC4AE461FBAD17789C4F91C66A28E2DD6918DAEA98721B6762AE0CC32

SSDEEP:

6144:qkUE1dNUGoIBMJh/TqvH2oJEHPnubFaaDC7RBIZNB:TsLj/Ovj0IZDCDIZNB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • sample_107.exe (PID: 2580)
      • sample_107.exe (PID: 3840)
      • syshost.exe (PID: 3032)

    • NECURS was detected

      • syshost.exe (PID: 3032)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2944)
      • sample_107.exe (PID: 2580)
      • syshost.exe (PID: 3032)

    • Starts CMD.EXE for commands execution

      • sample_107.exe (PID: 3840)
      • sample_107.exe (PID: 2580)

    • Executed as Windows Service

      • syshost.exe (PID: 3032)

    • Creates or modifies windows services

      • syshost.exe (PID: 3032)

    • Creates files in the driver directory

      • syshost.exe (PID: 3032)

    • Creates files in the Windows directory

      • syshost.exe (PID: 3032)

    • Connects to server without host name

      • syshost.exe (PID: 3032)

  • INFO

    • Manual execution by user

      • sample_107.exe (PID: 3840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: sample_107/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:05:01 18:48:23
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe sample_107.exe no specs cmd.exe sample_107.exe #NECURS syshost.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_107.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3840"C:\Users\admin\Desktop\sample_107.exe" C:\Users\admin\Desktop\sample_107.exeexplorer.exe
User:
admin
Company:
Psychsoftpc
Integrity Level:
MEDIUM
Description:
Stack Converter
Exit code:
0
Version:
7.0.0
3828"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\Desktop\sample_107.exe"C:\Windows\system32\cmd.exe
sample_107.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2580C:\Users\admin\Desktop\sample_107.exeC:\Users\admin\Desktop\sample_107.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3032"C:\Windows\Installer\{5AA662C4-33C5-C7FB-5539-04C1345F068B}\syshost.exe" /serviceC:\Windows\Installer\{5AA662C4-33C5-C7FB-5539-04C1345F068B}\syshost.exe
services.exe
User:
SYSTEM
Company:
Psychsoftpc
Integrity Level:
SYSTEM
Description:
Stack Converter
Version:
7.0.0
3676cmd.exe /C del /Q /F "C:\Users\admin\AppData\Local\Temp\5edad849.tmp"C:\Windows\system32\cmd.exesample_107.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
521
Read events
481
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2580sample_107.exeC:\Users\admin\AppData\Local\Temp\5edad849.tmp
MD5:
SHA256:
2580sample_107.exeC:\Windows\Installer\{5AA662C4-33C5-C7FB-5539-04C1345F068B}\syshost.exeexecutable
MD5:258900B115054C8C4DECD1833AEF8432
SHA256:9FCBA29F3286203FE9426EE1E71F749EF2E13C88B4D43578FB32808DF9773F8A
3032syshost.exeC:\Windows\system32\drivers\1552ad.sysexecutable
MD5:82396AE92683EEE06FA6F9CBB87BD421
SHA256:AF7EA8240F92805A177F14CA509B4A1A1F6D67035EA202029934C00FA1A34F25
2944WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2944.5052\sample_107\sample_107executable
MD5:258900B115054C8C4DECD1833AEF8432
SHA256:9FCBA29F3286203FE9426EE1E71F749EF2E13C88B4D43578FB32808DF9773F8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
7
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3032
syshost.exe
POST
188.138.11.104:80
http://188.138.11.104/iis/host.aspx
DE
malicious
3032
syshost.exe
POST
463
69.172.201.153:80
http://empreus.com/iis/host.aspx
US
html
8.64 Kb
malicious
3032
syshost.exe
POST
188.138.11.104:80
http://188.138.11.104/iis/host.aspx
DE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3032
syshost.exe
132.163.96.2:123
nist.expertsmi.com
National Bureau of Standards
US
unknown
3032
syshost.exe
40.113.200.201:80
microsoft.com
Microsoft Corporation
US
malicious
3032
syshost.exe
188.138.11.104:80
Host Europe GmbH
DE
malicious
3032
syshost.exe
129.70.132.37:123
1.pool.ntp.org
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
unknown
3032
syshost.exe
80.153.195.191:123
0.pool.ntp.org
Deutsche Telekom AG
DE
unknown
3032
syshost.exe
69.172.201.153:80
empreus.com
Dosarrest Internet Security LTD
US
malicious

DNS requests

Domain
IP
Reputation
microsoft.com
  • 40.76.4.15
  • 40.112.72.205
  • 40.113.200.201
  • 104.215.148.63
  • 13.77.161.179
whitelisted
kjsvpbpuubby.com
unknown
vdlmaxvhvxfos.com
unknown
hfvnzrwatt.com
unknown
grxurqvbfqwx.com
unknown
nist.expertsmi.com
  • 132.163.96.2
unknown
0.pool.ntp.org
  • 192.53.103.108
  • 80.153.195.191
  • 62.128.1.18
  • 51.38.105.7
whitelisted
1.pool.ntp.org
  • 129.70.132.37
  • 217.144.138.234
  • 138.201.16.225
  • 5.9.83.106
whitelisted
caremid.biz
unknown
empreus.com
  • 69.172.201.153
malicious

Threats

PID
Process
Class
Message
3032
syshost.exe
A Network Trojan was detected
ET TROJAN Win32/Necurs
3032
syshost.exe
A Network Trojan was detected
ET TROJAN Win32/Necurs
3032
syshost.exe
A Network Trojan was detected
ET TROJAN Win32/Necurs
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample_107.zip